Loading...
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * RFCOMM sockets.
26 */
27
28#include <linux/export.h>
29#include <linux/debugfs.h>
30#include <linux/sched/signal.h>
31
32#include <net/bluetooth/bluetooth.h>
33#include <net/bluetooth/hci_core.h>
34#include <net/bluetooth/l2cap.h>
35#include <net/bluetooth/rfcomm.h>
36
37static const struct proto_ops rfcomm_sock_ops;
38
39static struct bt_sock_list rfcomm_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41};
42
43static void rfcomm_sock_close(struct sock *sk);
44static void rfcomm_sock_kill(struct sock *sk);
45
46/* ---- DLC callbacks ----
47 *
48 * called under rfcomm_dlc_lock()
49 */
50static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51{
52 struct sock *sk = d->owner;
53 if (!sk)
54 return;
55
56 atomic_add(skb->len, &sk->sk_rmem_alloc);
57 skb_queue_tail(&sk->sk_receive_queue, skb);
58 sk->sk_data_ready(sk);
59
60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 rfcomm_dlc_throttle(d);
62}
63
64static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65{
66 struct sock *sk = d->owner, *parent;
67 unsigned long flags;
68
69 if (!sk)
70 return;
71
72 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
73
74 local_irq_save(flags);
75 bh_lock_sock(sk);
76
77 if (err)
78 sk->sk_err = err;
79
80 sk->sk_state = d->state;
81
82 parent = bt_sk(sk)->parent;
83 if (parent) {
84 if (d->state == BT_CLOSED) {
85 sock_set_flag(sk, SOCK_ZAPPED);
86 bt_accept_unlink(sk);
87 }
88 parent->sk_data_ready(parent);
89 } else {
90 if (d->state == BT_CONNECTED)
91 rfcomm_session_getaddr(d->session,
92 &rfcomm_pi(sk)->src, NULL);
93 sk->sk_state_change(sk);
94 }
95
96 bh_unlock_sock(sk);
97 local_irq_restore(flags);
98
99 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
100 /* We have to drop DLC lock here, otherwise
101 * rfcomm_sock_destruct() will dead lock. */
102 rfcomm_dlc_unlock(d);
103 rfcomm_sock_kill(sk);
104 rfcomm_dlc_lock(d);
105 }
106}
107
108/* ---- Socket functions ---- */
109static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
110{
111 struct sock *sk = NULL;
112
113 sk_for_each(sk, &rfcomm_sk_list.head) {
114 if (rfcomm_pi(sk)->channel != channel)
115 continue;
116
117 if (bacmp(&rfcomm_pi(sk)->src, src))
118 continue;
119
120 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
121 break;
122 }
123
124 return sk ? sk : NULL;
125}
126
127/* Find socket with channel and source bdaddr.
128 * Returns closest match.
129 */
130static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
131{
132 struct sock *sk = NULL, *sk1 = NULL;
133
134 read_lock(&rfcomm_sk_list.lock);
135
136 sk_for_each(sk, &rfcomm_sk_list.head) {
137 if (state && sk->sk_state != state)
138 continue;
139
140 if (rfcomm_pi(sk)->channel == channel) {
141 /* Exact match. */
142 if (!bacmp(&rfcomm_pi(sk)->src, src))
143 break;
144
145 /* Closest match */
146 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
147 sk1 = sk;
148 }
149 }
150
151 read_unlock(&rfcomm_sk_list.lock);
152
153 return sk ? sk : sk1;
154}
155
156static void rfcomm_sock_destruct(struct sock *sk)
157{
158 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
159
160 BT_DBG("sk %p dlc %p", sk, d);
161
162 skb_queue_purge(&sk->sk_receive_queue);
163 skb_queue_purge(&sk->sk_write_queue);
164
165 rfcomm_dlc_lock(d);
166 rfcomm_pi(sk)->dlc = NULL;
167
168 /* Detach DLC if it's owned by this socket */
169 if (d->owner == sk)
170 d->owner = NULL;
171 rfcomm_dlc_unlock(d);
172
173 rfcomm_dlc_put(d);
174}
175
176static void rfcomm_sock_cleanup_listen(struct sock *parent)
177{
178 struct sock *sk;
179
180 BT_DBG("parent %p", parent);
181
182 /* Close not yet accepted dlcs */
183 while ((sk = bt_accept_dequeue(parent, NULL))) {
184 rfcomm_sock_close(sk);
185 rfcomm_sock_kill(sk);
186 }
187
188 parent->sk_state = BT_CLOSED;
189 sock_set_flag(parent, SOCK_ZAPPED);
190}
191
192/* Kill socket (only if zapped and orphan)
193 * Must be called on unlocked socket.
194 */
195static void rfcomm_sock_kill(struct sock *sk)
196{
197 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
198 return;
199
200 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
201
202 /* Kill poor orphan */
203 bt_sock_unlink(&rfcomm_sk_list, sk);
204 sock_set_flag(sk, SOCK_DEAD);
205 sock_put(sk);
206}
207
208static void __rfcomm_sock_close(struct sock *sk)
209{
210 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
211
212 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
213
214 switch (sk->sk_state) {
215 case BT_LISTEN:
216 rfcomm_sock_cleanup_listen(sk);
217 break;
218
219 case BT_CONNECT:
220 case BT_CONNECT2:
221 case BT_CONFIG:
222 case BT_CONNECTED:
223 rfcomm_dlc_close(d, 0);
224 /* fall through */
225
226 default:
227 sock_set_flag(sk, SOCK_ZAPPED);
228 break;
229 }
230}
231
232/* Close socket.
233 * Must be called on unlocked socket.
234 */
235static void rfcomm_sock_close(struct sock *sk)
236{
237 lock_sock(sk);
238 __rfcomm_sock_close(sk);
239 release_sock(sk);
240}
241
242static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
243{
244 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
245
246 BT_DBG("sk %p", sk);
247
248 if (parent) {
249 sk->sk_type = parent->sk_type;
250 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
251 &bt_sk(parent)->flags);
252
253 pi->sec_level = rfcomm_pi(parent)->sec_level;
254 pi->role_switch = rfcomm_pi(parent)->role_switch;
255
256 security_sk_clone(parent, sk);
257 } else {
258 pi->dlc->defer_setup = 0;
259
260 pi->sec_level = BT_SECURITY_LOW;
261 pi->role_switch = 0;
262 }
263
264 pi->dlc->sec_level = pi->sec_level;
265 pi->dlc->role_switch = pi->role_switch;
266}
267
268static struct proto rfcomm_proto = {
269 .name = "RFCOMM",
270 .owner = THIS_MODULE,
271 .obj_size = sizeof(struct rfcomm_pinfo)
272};
273
274static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
275{
276 struct rfcomm_dlc *d;
277 struct sock *sk;
278
279 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
280 if (!sk)
281 return NULL;
282
283 sock_init_data(sock, sk);
284 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
285
286 d = rfcomm_dlc_alloc(prio);
287 if (!d) {
288 sk_free(sk);
289 return NULL;
290 }
291
292 d->data_ready = rfcomm_sk_data_ready;
293 d->state_change = rfcomm_sk_state_change;
294
295 rfcomm_pi(sk)->dlc = d;
296 d->owner = sk;
297
298 sk->sk_destruct = rfcomm_sock_destruct;
299 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
300
301 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
302 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
303
304 sock_reset_flag(sk, SOCK_ZAPPED);
305
306 sk->sk_protocol = proto;
307 sk->sk_state = BT_OPEN;
308
309 bt_sock_link(&rfcomm_sk_list, sk);
310
311 BT_DBG("sk %p", sk);
312 return sk;
313}
314
315static int rfcomm_sock_create(struct net *net, struct socket *sock,
316 int protocol, int kern)
317{
318 struct sock *sk;
319
320 BT_DBG("sock %p", sock);
321
322 sock->state = SS_UNCONNECTED;
323
324 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
325 return -ESOCKTNOSUPPORT;
326
327 sock->ops = &rfcomm_sock_ops;
328
329 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
330 if (!sk)
331 return -ENOMEM;
332
333 rfcomm_sock_init(sk, NULL);
334 return 0;
335}
336
337static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
338{
339 struct sockaddr_rc sa;
340 struct sock *sk = sock->sk;
341 int len, err = 0;
342
343 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
344 addr->sa_family != AF_BLUETOOTH)
345 return -EINVAL;
346
347 memset(&sa, 0, sizeof(sa));
348 len = min_t(unsigned int, sizeof(sa), addr_len);
349 memcpy(&sa, addr, len);
350
351 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
352
353 lock_sock(sk);
354
355 if (sk->sk_state != BT_OPEN) {
356 err = -EBADFD;
357 goto done;
358 }
359
360 if (sk->sk_type != SOCK_STREAM) {
361 err = -EINVAL;
362 goto done;
363 }
364
365 write_lock(&rfcomm_sk_list.lock);
366
367 if (sa.rc_channel &&
368 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
369 err = -EADDRINUSE;
370 } else {
371 /* Save source address */
372 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
373 rfcomm_pi(sk)->channel = sa.rc_channel;
374 sk->sk_state = BT_BOUND;
375 }
376
377 write_unlock(&rfcomm_sk_list.lock);
378
379done:
380 release_sock(sk);
381 return err;
382}
383
384static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
385{
386 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
387 struct sock *sk = sock->sk;
388 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
389 int err = 0;
390
391 BT_DBG("sk %p", sk);
392
393 if (alen < sizeof(struct sockaddr_rc) ||
394 addr->sa_family != AF_BLUETOOTH)
395 return -EINVAL;
396
397 lock_sock(sk);
398
399 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
400 err = -EBADFD;
401 goto done;
402 }
403
404 if (sk->sk_type != SOCK_STREAM) {
405 err = -EINVAL;
406 goto done;
407 }
408
409 sk->sk_state = BT_CONNECT;
410 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
411 rfcomm_pi(sk)->channel = sa->rc_channel;
412
413 d->sec_level = rfcomm_pi(sk)->sec_level;
414 d->role_switch = rfcomm_pi(sk)->role_switch;
415
416 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
417 sa->rc_channel);
418 if (!err)
419 err = bt_sock_wait_state(sk, BT_CONNECTED,
420 sock_sndtimeo(sk, flags & O_NONBLOCK));
421
422done:
423 release_sock(sk);
424 return err;
425}
426
427static int rfcomm_sock_listen(struct socket *sock, int backlog)
428{
429 struct sock *sk = sock->sk;
430 int err = 0;
431
432 BT_DBG("sk %p backlog %d", sk, backlog);
433
434 lock_sock(sk);
435
436 if (sk->sk_state != BT_BOUND) {
437 err = -EBADFD;
438 goto done;
439 }
440
441 if (sk->sk_type != SOCK_STREAM) {
442 err = -EINVAL;
443 goto done;
444 }
445
446 if (!rfcomm_pi(sk)->channel) {
447 bdaddr_t *src = &rfcomm_pi(sk)->src;
448 u8 channel;
449
450 err = -EINVAL;
451
452 write_lock(&rfcomm_sk_list.lock);
453
454 for (channel = 1; channel < 31; channel++)
455 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
456 rfcomm_pi(sk)->channel = channel;
457 err = 0;
458 break;
459 }
460
461 write_unlock(&rfcomm_sk_list.lock);
462
463 if (err < 0)
464 goto done;
465 }
466
467 sk->sk_max_ack_backlog = backlog;
468 sk->sk_ack_backlog = 0;
469 sk->sk_state = BT_LISTEN;
470
471done:
472 release_sock(sk);
473 return err;
474}
475
476static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
477 bool kern)
478{
479 DEFINE_WAIT_FUNC(wait, woken_wake_function);
480 struct sock *sk = sock->sk, *nsk;
481 long timeo;
482 int err = 0;
483
484 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
485
486 if (sk->sk_type != SOCK_STREAM) {
487 err = -EINVAL;
488 goto done;
489 }
490
491 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
492
493 BT_DBG("sk %p timeo %ld", sk, timeo);
494
495 /* Wait for an incoming connection. (wake-one). */
496 add_wait_queue_exclusive(sk_sleep(sk), &wait);
497 while (1) {
498 if (sk->sk_state != BT_LISTEN) {
499 err = -EBADFD;
500 break;
501 }
502
503 nsk = bt_accept_dequeue(sk, newsock);
504 if (nsk)
505 break;
506
507 if (!timeo) {
508 err = -EAGAIN;
509 break;
510 }
511
512 if (signal_pending(current)) {
513 err = sock_intr_errno(timeo);
514 break;
515 }
516
517 release_sock(sk);
518
519 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
520
521 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
522 }
523 remove_wait_queue(sk_sleep(sk), &wait);
524
525 if (err)
526 goto done;
527
528 newsock->state = SS_CONNECTED;
529
530 BT_DBG("new socket %p", nsk);
531
532done:
533 release_sock(sk);
534 return err;
535}
536
537static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
538{
539 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
540 struct sock *sk = sock->sk;
541
542 BT_DBG("sock %p, sk %p", sock, sk);
543
544 if (peer && sk->sk_state != BT_CONNECTED &&
545 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
546 return -ENOTCONN;
547
548 memset(sa, 0, sizeof(*sa));
549 sa->rc_family = AF_BLUETOOTH;
550 sa->rc_channel = rfcomm_pi(sk)->channel;
551 if (peer)
552 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
553 else
554 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
555
556 return sizeof(struct sockaddr_rc);
557}
558
559static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
560 size_t len)
561{
562 struct sock *sk = sock->sk;
563 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
564 struct sk_buff *skb;
565 int sent;
566
567 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
568 return -ENOTCONN;
569
570 if (msg->msg_flags & MSG_OOB)
571 return -EOPNOTSUPP;
572
573 if (sk->sk_shutdown & SEND_SHUTDOWN)
574 return -EPIPE;
575
576 BT_DBG("sock %p, sk %p", sock, sk);
577
578 lock_sock(sk);
579
580 sent = bt_sock_wait_ready(sk, msg->msg_flags);
581 if (sent)
582 goto done;
583
584 while (len) {
585 size_t size = min_t(size_t, len, d->mtu);
586 int err;
587
588 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
589 msg->msg_flags & MSG_DONTWAIT, &err);
590 if (!skb) {
591 if (sent == 0)
592 sent = err;
593 break;
594 }
595 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
596
597 err = memcpy_from_msg(skb_put(skb, size), msg, size);
598 if (err) {
599 kfree_skb(skb);
600 if (sent == 0)
601 sent = err;
602 break;
603 }
604
605 skb->priority = sk->sk_priority;
606
607 err = rfcomm_dlc_send(d, skb);
608 if (err < 0) {
609 kfree_skb(skb);
610 if (sent == 0)
611 sent = err;
612 break;
613 }
614
615 sent += size;
616 len -= size;
617 }
618
619done:
620 release_sock(sk);
621
622 return sent;
623}
624
625static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
626 size_t size, int flags)
627{
628 struct sock *sk = sock->sk;
629 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
630 int len;
631
632 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
633 rfcomm_dlc_accept(d);
634 return 0;
635 }
636
637 len = bt_sock_stream_recvmsg(sock, msg, size, flags);
638
639 lock_sock(sk);
640 if (!(flags & MSG_PEEK) && len > 0)
641 atomic_sub(len, &sk->sk_rmem_alloc);
642
643 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
644 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
645 release_sock(sk);
646
647 return len;
648}
649
650static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
651{
652 struct sock *sk = sock->sk;
653 int err = 0;
654 u32 opt;
655
656 BT_DBG("sk %p", sk);
657
658 lock_sock(sk);
659
660 switch (optname) {
661 case RFCOMM_LM:
662 if (get_user(opt, (u32 __user *) optval)) {
663 err = -EFAULT;
664 break;
665 }
666
667 if (opt & RFCOMM_LM_FIPS) {
668 err = -EINVAL;
669 break;
670 }
671
672 if (opt & RFCOMM_LM_AUTH)
673 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
674 if (opt & RFCOMM_LM_ENCRYPT)
675 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
676 if (opt & RFCOMM_LM_SECURE)
677 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
678
679 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
680 break;
681
682 default:
683 err = -ENOPROTOOPT;
684 break;
685 }
686
687 release_sock(sk);
688 return err;
689}
690
691static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
692{
693 struct sock *sk = sock->sk;
694 struct bt_security sec;
695 int err = 0;
696 size_t len;
697 u32 opt;
698
699 BT_DBG("sk %p", sk);
700
701 if (level == SOL_RFCOMM)
702 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
703
704 if (level != SOL_BLUETOOTH)
705 return -ENOPROTOOPT;
706
707 lock_sock(sk);
708
709 switch (optname) {
710 case BT_SECURITY:
711 if (sk->sk_type != SOCK_STREAM) {
712 err = -EINVAL;
713 break;
714 }
715
716 sec.level = BT_SECURITY_LOW;
717
718 len = min_t(unsigned int, sizeof(sec), optlen);
719 if (copy_from_user((char *) &sec, optval, len)) {
720 err = -EFAULT;
721 break;
722 }
723
724 if (sec.level > BT_SECURITY_HIGH) {
725 err = -EINVAL;
726 break;
727 }
728
729 rfcomm_pi(sk)->sec_level = sec.level;
730 break;
731
732 case BT_DEFER_SETUP:
733 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
734 err = -EINVAL;
735 break;
736 }
737
738 if (get_user(opt, (u32 __user *) optval)) {
739 err = -EFAULT;
740 break;
741 }
742
743 if (opt)
744 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
745 else
746 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
747
748 break;
749
750 default:
751 err = -ENOPROTOOPT;
752 break;
753 }
754
755 release_sock(sk);
756 return err;
757}
758
759static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
760{
761 struct sock *sk = sock->sk;
762 struct sock *l2cap_sk;
763 struct l2cap_conn *conn;
764 struct rfcomm_conninfo cinfo;
765 int len, err = 0;
766 u32 opt;
767
768 BT_DBG("sk %p", sk);
769
770 if (get_user(len, optlen))
771 return -EFAULT;
772
773 lock_sock(sk);
774
775 switch (optname) {
776 case RFCOMM_LM:
777 switch (rfcomm_pi(sk)->sec_level) {
778 case BT_SECURITY_LOW:
779 opt = RFCOMM_LM_AUTH;
780 break;
781 case BT_SECURITY_MEDIUM:
782 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
783 break;
784 case BT_SECURITY_HIGH:
785 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
786 RFCOMM_LM_SECURE;
787 break;
788 case BT_SECURITY_FIPS:
789 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
790 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
791 break;
792 default:
793 opt = 0;
794 break;
795 }
796
797 if (rfcomm_pi(sk)->role_switch)
798 opt |= RFCOMM_LM_MASTER;
799
800 if (put_user(opt, (u32 __user *) optval))
801 err = -EFAULT;
802
803 break;
804
805 case RFCOMM_CONNINFO:
806 if (sk->sk_state != BT_CONNECTED &&
807 !rfcomm_pi(sk)->dlc->defer_setup) {
808 err = -ENOTCONN;
809 break;
810 }
811
812 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
813 conn = l2cap_pi(l2cap_sk)->chan->conn;
814
815 memset(&cinfo, 0, sizeof(cinfo));
816 cinfo.hci_handle = conn->hcon->handle;
817 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
818
819 len = min_t(unsigned int, len, sizeof(cinfo));
820 if (copy_to_user(optval, (char *) &cinfo, len))
821 err = -EFAULT;
822
823 break;
824
825 default:
826 err = -ENOPROTOOPT;
827 break;
828 }
829
830 release_sock(sk);
831 return err;
832}
833
834static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
835{
836 struct sock *sk = sock->sk;
837 struct bt_security sec;
838 int len, err = 0;
839
840 BT_DBG("sk %p", sk);
841
842 if (level == SOL_RFCOMM)
843 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
844
845 if (level != SOL_BLUETOOTH)
846 return -ENOPROTOOPT;
847
848 if (get_user(len, optlen))
849 return -EFAULT;
850
851 lock_sock(sk);
852
853 switch (optname) {
854 case BT_SECURITY:
855 if (sk->sk_type != SOCK_STREAM) {
856 err = -EINVAL;
857 break;
858 }
859
860 sec.level = rfcomm_pi(sk)->sec_level;
861 sec.key_size = 0;
862
863 len = min_t(unsigned int, len, sizeof(sec));
864 if (copy_to_user(optval, (char *) &sec, len))
865 err = -EFAULT;
866
867 break;
868
869 case BT_DEFER_SETUP:
870 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
871 err = -EINVAL;
872 break;
873 }
874
875 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
876 (u32 __user *) optval))
877 err = -EFAULT;
878
879 break;
880
881 default:
882 err = -ENOPROTOOPT;
883 break;
884 }
885
886 release_sock(sk);
887 return err;
888}
889
890static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
891{
892 struct sock *sk __maybe_unused = sock->sk;
893 int err;
894
895 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
896
897 err = bt_sock_ioctl(sock, cmd, arg);
898
899 if (err == -ENOIOCTLCMD) {
900#ifdef CONFIG_BT_RFCOMM_TTY
901 lock_sock(sk);
902 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
903 release_sock(sk);
904#else
905 err = -EOPNOTSUPP;
906#endif
907 }
908
909 return err;
910}
911
912static int rfcomm_sock_shutdown(struct socket *sock, int how)
913{
914 struct sock *sk = sock->sk;
915 int err = 0;
916
917 BT_DBG("sock %p, sk %p", sock, sk);
918
919 if (!sk)
920 return 0;
921
922 lock_sock(sk);
923 if (!sk->sk_shutdown) {
924 sk->sk_shutdown = SHUTDOWN_MASK;
925 __rfcomm_sock_close(sk);
926
927 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
928 !(current->flags & PF_EXITING))
929 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
930 }
931 release_sock(sk);
932 return err;
933}
934
935static int rfcomm_sock_release(struct socket *sock)
936{
937 struct sock *sk = sock->sk;
938 int err;
939
940 BT_DBG("sock %p, sk %p", sock, sk);
941
942 if (!sk)
943 return 0;
944
945 err = rfcomm_sock_shutdown(sock, 2);
946
947 sock_orphan(sk);
948 rfcomm_sock_kill(sk);
949 return err;
950}
951
952/* ---- RFCOMM core layer callbacks ----
953 *
954 * called under rfcomm_lock()
955 */
956int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
957{
958 struct sock *sk, *parent;
959 bdaddr_t src, dst;
960 int result = 0;
961
962 BT_DBG("session %p channel %d", s, channel);
963
964 rfcomm_session_getaddr(s, &src, &dst);
965
966 /* Check if we have socket listening on channel */
967 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
968 if (!parent)
969 return 0;
970
971 bh_lock_sock(parent);
972
973 /* Check for backlog size */
974 if (sk_acceptq_is_full(parent)) {
975 BT_DBG("backlog full %d", parent->sk_ack_backlog);
976 goto done;
977 }
978
979 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
980 if (!sk)
981 goto done;
982
983 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
984
985 rfcomm_sock_init(sk, parent);
986 bacpy(&rfcomm_pi(sk)->src, &src);
987 bacpy(&rfcomm_pi(sk)->dst, &dst);
988 rfcomm_pi(sk)->channel = channel;
989
990 sk->sk_state = BT_CONFIG;
991 bt_accept_enqueue(parent, sk, true);
992
993 /* Accept connection and return socket DLC */
994 *d = rfcomm_pi(sk)->dlc;
995 result = 1;
996
997done:
998 bh_unlock_sock(parent);
999
1000 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1001 parent->sk_state_change(parent);
1002
1003 return result;
1004}
1005
1006static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
1007{
1008 struct sock *sk;
1009
1010 read_lock(&rfcomm_sk_list.lock);
1011
1012 sk_for_each(sk, &rfcomm_sk_list.head) {
1013 seq_printf(f, "%pMR %pMR %d %d\n",
1014 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
1015 sk->sk_state, rfcomm_pi(sk)->channel);
1016 }
1017
1018 read_unlock(&rfcomm_sk_list.lock);
1019
1020 return 0;
1021}
1022
1023DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1024
1025static struct dentry *rfcomm_sock_debugfs;
1026
1027static const struct proto_ops rfcomm_sock_ops = {
1028 .family = PF_BLUETOOTH,
1029 .owner = THIS_MODULE,
1030 .release = rfcomm_sock_release,
1031 .bind = rfcomm_sock_bind,
1032 .connect = rfcomm_sock_connect,
1033 .listen = rfcomm_sock_listen,
1034 .accept = rfcomm_sock_accept,
1035 .getname = rfcomm_sock_getname,
1036 .sendmsg = rfcomm_sock_sendmsg,
1037 .recvmsg = rfcomm_sock_recvmsg,
1038 .shutdown = rfcomm_sock_shutdown,
1039 .setsockopt = rfcomm_sock_setsockopt,
1040 .getsockopt = rfcomm_sock_getsockopt,
1041 .ioctl = rfcomm_sock_ioctl,
1042 .gettstamp = sock_gettstamp,
1043 .poll = bt_sock_poll,
1044 .socketpair = sock_no_socketpair,
1045 .mmap = sock_no_mmap
1046};
1047
1048static const struct net_proto_family rfcomm_sock_family_ops = {
1049 .family = PF_BLUETOOTH,
1050 .owner = THIS_MODULE,
1051 .create = rfcomm_sock_create
1052};
1053
1054int __init rfcomm_init_sockets(void)
1055{
1056 int err;
1057
1058 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1059
1060 err = proto_register(&rfcomm_proto, 0);
1061 if (err < 0)
1062 return err;
1063
1064 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1065 if (err < 0) {
1066 BT_ERR("RFCOMM socket layer registration failed");
1067 goto error;
1068 }
1069
1070 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1071 if (err < 0) {
1072 BT_ERR("Failed to create RFCOMM proc file");
1073 bt_sock_unregister(BTPROTO_RFCOMM);
1074 goto error;
1075 }
1076
1077 BT_INFO("RFCOMM socket layer initialized");
1078
1079 if (IS_ERR_OR_NULL(bt_debugfs))
1080 return 0;
1081
1082 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1083 bt_debugfs, NULL,
1084 &rfcomm_sock_debugfs_fops);
1085
1086 return 0;
1087
1088error:
1089 proto_unregister(&rfcomm_proto);
1090 return err;
1091}
1092
1093void __exit rfcomm_cleanup_sockets(void)
1094{
1095 bt_procfs_cleanup(&init_net, "rfcomm");
1096
1097 debugfs_remove(rfcomm_sock_debugfs);
1098
1099 bt_sock_unregister(BTPROTO_RFCOMM);
1100
1101 proto_unregister(&rfcomm_proto);
1102}
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * RFCOMM sockets.
26 */
27
28#include <linux/export.h>
29#include <linux/debugfs.h>
30#include <linux/sched/signal.h>
31
32#include <net/bluetooth/bluetooth.h>
33#include <net/bluetooth/hci_core.h>
34#include <net/bluetooth/l2cap.h>
35#include <net/bluetooth/rfcomm.h>
36
37static const struct proto_ops rfcomm_sock_ops;
38
39static struct bt_sock_list rfcomm_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41};
42
43static void rfcomm_sock_close(struct sock *sk);
44static void rfcomm_sock_kill(struct sock *sk);
45
46/* ---- DLC callbacks ----
47 *
48 * called under rfcomm_dlc_lock()
49 */
50static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51{
52 struct sock *sk = d->owner;
53 if (!sk)
54 return;
55
56 atomic_add(skb->len, &sk->sk_rmem_alloc);
57 skb_queue_tail(&sk->sk_receive_queue, skb);
58 sk->sk_data_ready(sk);
59
60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 rfcomm_dlc_throttle(d);
62}
63
64static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65{
66 struct sock *sk = d->owner, *parent;
67 unsigned long flags;
68
69 if (!sk)
70 return;
71
72 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
73
74 local_irq_save(flags);
75 bh_lock_sock(sk);
76
77 if (err)
78 sk->sk_err = err;
79
80 sk->sk_state = d->state;
81
82 parent = bt_sk(sk)->parent;
83 if (parent) {
84 if (d->state == BT_CLOSED) {
85 sock_set_flag(sk, SOCK_ZAPPED);
86 bt_accept_unlink(sk);
87 }
88 parent->sk_data_ready(parent);
89 } else {
90 if (d->state == BT_CONNECTED)
91 rfcomm_session_getaddr(d->session,
92 &rfcomm_pi(sk)->src, NULL);
93 sk->sk_state_change(sk);
94 }
95
96 bh_unlock_sock(sk);
97 local_irq_restore(flags);
98
99 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
100 /* We have to drop DLC lock here, otherwise
101 * rfcomm_sock_destruct() will dead lock. */
102 rfcomm_dlc_unlock(d);
103 rfcomm_sock_kill(sk);
104 rfcomm_dlc_lock(d);
105 }
106}
107
108/* ---- Socket functions ---- */
109static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
110{
111 struct sock *sk = NULL;
112
113 sk_for_each(sk, &rfcomm_sk_list.head) {
114 if (rfcomm_pi(sk)->channel != channel)
115 continue;
116
117 if (bacmp(&rfcomm_pi(sk)->src, src))
118 continue;
119
120 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
121 break;
122 }
123
124 return sk ? sk : NULL;
125}
126
127/* Find socket with channel and source bdaddr.
128 * Returns closest match.
129 */
130static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
131{
132 struct sock *sk = NULL, *sk1 = NULL;
133
134 read_lock(&rfcomm_sk_list.lock);
135
136 sk_for_each(sk, &rfcomm_sk_list.head) {
137 if (state && sk->sk_state != state)
138 continue;
139
140 if (rfcomm_pi(sk)->channel == channel) {
141 /* Exact match. */
142 if (!bacmp(&rfcomm_pi(sk)->src, src))
143 break;
144
145 /* Closest match */
146 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
147 sk1 = sk;
148 }
149 }
150
151 read_unlock(&rfcomm_sk_list.lock);
152
153 return sk ? sk : sk1;
154}
155
156static void rfcomm_sock_destruct(struct sock *sk)
157{
158 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
159
160 BT_DBG("sk %p dlc %p", sk, d);
161
162 skb_queue_purge(&sk->sk_receive_queue);
163 skb_queue_purge(&sk->sk_write_queue);
164
165 rfcomm_dlc_lock(d);
166 rfcomm_pi(sk)->dlc = NULL;
167
168 /* Detach DLC if it's owned by this socket */
169 if (d->owner == sk)
170 d->owner = NULL;
171 rfcomm_dlc_unlock(d);
172
173 rfcomm_dlc_put(d);
174}
175
176static void rfcomm_sock_cleanup_listen(struct sock *parent)
177{
178 struct sock *sk;
179
180 BT_DBG("parent %p", parent);
181
182 /* Close not yet accepted dlcs */
183 while ((sk = bt_accept_dequeue(parent, NULL))) {
184 rfcomm_sock_close(sk);
185 rfcomm_sock_kill(sk);
186 }
187
188 parent->sk_state = BT_CLOSED;
189 sock_set_flag(parent, SOCK_ZAPPED);
190}
191
192/* Kill socket (only if zapped and orphan)
193 * Must be called on unlocked socket.
194 */
195static void rfcomm_sock_kill(struct sock *sk)
196{
197 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
198 return;
199
200 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
201
202 /* Kill poor orphan */
203 bt_sock_unlink(&rfcomm_sk_list, sk);
204 sock_set_flag(sk, SOCK_DEAD);
205 sock_put(sk);
206}
207
208static void __rfcomm_sock_close(struct sock *sk)
209{
210 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
211
212 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
213
214 switch (sk->sk_state) {
215 case BT_LISTEN:
216 rfcomm_sock_cleanup_listen(sk);
217 break;
218
219 case BT_CONNECT:
220 case BT_CONNECT2:
221 case BT_CONFIG:
222 case BT_CONNECTED:
223 rfcomm_dlc_close(d, 0);
224 /* fall through */
225
226 default:
227 sock_set_flag(sk, SOCK_ZAPPED);
228 break;
229 }
230}
231
232/* Close socket.
233 * Must be called on unlocked socket.
234 */
235static void rfcomm_sock_close(struct sock *sk)
236{
237 lock_sock(sk);
238 __rfcomm_sock_close(sk);
239 release_sock(sk);
240}
241
242static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
243{
244 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
245
246 BT_DBG("sk %p", sk);
247
248 if (parent) {
249 sk->sk_type = parent->sk_type;
250 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
251 &bt_sk(parent)->flags);
252
253 pi->sec_level = rfcomm_pi(parent)->sec_level;
254 pi->role_switch = rfcomm_pi(parent)->role_switch;
255
256 security_sk_clone(parent, sk);
257 } else {
258 pi->dlc->defer_setup = 0;
259
260 pi->sec_level = BT_SECURITY_LOW;
261 pi->role_switch = 0;
262 }
263
264 pi->dlc->sec_level = pi->sec_level;
265 pi->dlc->role_switch = pi->role_switch;
266}
267
268static struct proto rfcomm_proto = {
269 .name = "RFCOMM",
270 .owner = THIS_MODULE,
271 .obj_size = sizeof(struct rfcomm_pinfo)
272};
273
274static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
275{
276 struct rfcomm_dlc *d;
277 struct sock *sk;
278
279 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
280 if (!sk)
281 return NULL;
282
283 sock_init_data(sock, sk);
284 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
285
286 d = rfcomm_dlc_alloc(prio);
287 if (!d) {
288 sk_free(sk);
289 return NULL;
290 }
291
292 d->data_ready = rfcomm_sk_data_ready;
293 d->state_change = rfcomm_sk_state_change;
294
295 rfcomm_pi(sk)->dlc = d;
296 d->owner = sk;
297
298 sk->sk_destruct = rfcomm_sock_destruct;
299 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
300
301 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
302 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
303
304 sock_reset_flag(sk, SOCK_ZAPPED);
305
306 sk->sk_protocol = proto;
307 sk->sk_state = BT_OPEN;
308
309 bt_sock_link(&rfcomm_sk_list, sk);
310
311 BT_DBG("sk %p", sk);
312 return sk;
313}
314
315static int rfcomm_sock_create(struct net *net, struct socket *sock,
316 int protocol, int kern)
317{
318 struct sock *sk;
319
320 BT_DBG("sock %p", sock);
321
322 sock->state = SS_UNCONNECTED;
323
324 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
325 return -ESOCKTNOSUPPORT;
326
327 sock->ops = &rfcomm_sock_ops;
328
329 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
330 if (!sk)
331 return -ENOMEM;
332
333 rfcomm_sock_init(sk, NULL);
334 return 0;
335}
336
337static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
338{
339 struct sockaddr_rc sa;
340 struct sock *sk = sock->sk;
341 int len, err = 0;
342
343 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
344 addr->sa_family != AF_BLUETOOTH)
345 return -EINVAL;
346
347 memset(&sa, 0, sizeof(sa));
348 len = min_t(unsigned int, sizeof(sa), addr_len);
349 memcpy(&sa, addr, len);
350
351 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
352
353 lock_sock(sk);
354
355 if (sk->sk_state != BT_OPEN) {
356 err = -EBADFD;
357 goto done;
358 }
359
360 if (sk->sk_type != SOCK_STREAM) {
361 err = -EINVAL;
362 goto done;
363 }
364
365 write_lock(&rfcomm_sk_list.lock);
366
367 if (sa.rc_channel &&
368 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
369 err = -EADDRINUSE;
370 } else {
371 /* Save source address */
372 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
373 rfcomm_pi(sk)->channel = sa.rc_channel;
374 sk->sk_state = BT_BOUND;
375 }
376
377 write_unlock(&rfcomm_sk_list.lock);
378
379done:
380 release_sock(sk);
381 return err;
382}
383
384static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
385{
386 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
387 struct sock *sk = sock->sk;
388 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
389 int err = 0;
390
391 BT_DBG("sk %p", sk);
392
393 if (alen < sizeof(struct sockaddr_rc) ||
394 addr->sa_family != AF_BLUETOOTH)
395 return -EINVAL;
396
397 lock_sock(sk);
398
399 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
400 err = -EBADFD;
401 goto done;
402 }
403
404 if (sk->sk_type != SOCK_STREAM) {
405 err = -EINVAL;
406 goto done;
407 }
408
409 sk->sk_state = BT_CONNECT;
410 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
411 rfcomm_pi(sk)->channel = sa->rc_channel;
412
413 d->sec_level = rfcomm_pi(sk)->sec_level;
414 d->role_switch = rfcomm_pi(sk)->role_switch;
415
416 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
417 sa->rc_channel);
418 if (!err)
419 err = bt_sock_wait_state(sk, BT_CONNECTED,
420 sock_sndtimeo(sk, flags & O_NONBLOCK));
421
422done:
423 release_sock(sk);
424 return err;
425}
426
427static int rfcomm_sock_listen(struct socket *sock, int backlog)
428{
429 struct sock *sk = sock->sk;
430 int err = 0;
431
432 BT_DBG("sk %p backlog %d", sk, backlog);
433
434 lock_sock(sk);
435
436 if (sk->sk_state != BT_BOUND) {
437 err = -EBADFD;
438 goto done;
439 }
440
441 if (sk->sk_type != SOCK_STREAM) {
442 err = -EINVAL;
443 goto done;
444 }
445
446 if (!rfcomm_pi(sk)->channel) {
447 bdaddr_t *src = &rfcomm_pi(sk)->src;
448 u8 channel;
449
450 err = -EINVAL;
451
452 write_lock(&rfcomm_sk_list.lock);
453
454 for (channel = 1; channel < 31; channel++)
455 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
456 rfcomm_pi(sk)->channel = channel;
457 err = 0;
458 break;
459 }
460
461 write_unlock(&rfcomm_sk_list.lock);
462
463 if (err < 0)
464 goto done;
465 }
466
467 sk->sk_max_ack_backlog = backlog;
468 sk->sk_ack_backlog = 0;
469 sk->sk_state = BT_LISTEN;
470
471done:
472 release_sock(sk);
473 return err;
474}
475
476static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
477 bool kern)
478{
479 DEFINE_WAIT_FUNC(wait, woken_wake_function);
480 struct sock *sk = sock->sk, *nsk;
481 long timeo;
482 int err = 0;
483
484 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
485
486 if (sk->sk_type != SOCK_STREAM) {
487 err = -EINVAL;
488 goto done;
489 }
490
491 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
492
493 BT_DBG("sk %p timeo %ld", sk, timeo);
494
495 /* Wait for an incoming connection. (wake-one). */
496 add_wait_queue_exclusive(sk_sleep(sk), &wait);
497 while (1) {
498 if (sk->sk_state != BT_LISTEN) {
499 err = -EBADFD;
500 break;
501 }
502
503 nsk = bt_accept_dequeue(sk, newsock);
504 if (nsk)
505 break;
506
507 if (!timeo) {
508 err = -EAGAIN;
509 break;
510 }
511
512 if (signal_pending(current)) {
513 err = sock_intr_errno(timeo);
514 break;
515 }
516
517 release_sock(sk);
518
519 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
520
521 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
522 }
523 remove_wait_queue(sk_sleep(sk), &wait);
524
525 if (err)
526 goto done;
527
528 newsock->state = SS_CONNECTED;
529
530 BT_DBG("new socket %p", nsk);
531
532done:
533 release_sock(sk);
534 return err;
535}
536
537static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
538{
539 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
540 struct sock *sk = sock->sk;
541
542 BT_DBG("sock %p, sk %p", sock, sk);
543
544 if (peer && sk->sk_state != BT_CONNECTED &&
545 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
546 return -ENOTCONN;
547
548 memset(sa, 0, sizeof(*sa));
549 sa->rc_family = AF_BLUETOOTH;
550 sa->rc_channel = rfcomm_pi(sk)->channel;
551 if (peer)
552 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
553 else
554 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
555
556 return sizeof(struct sockaddr_rc);
557}
558
559static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
560 size_t len)
561{
562 struct sock *sk = sock->sk;
563 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
564 struct sk_buff *skb;
565 int sent;
566
567 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
568 return -ENOTCONN;
569
570 if (msg->msg_flags & MSG_OOB)
571 return -EOPNOTSUPP;
572
573 if (sk->sk_shutdown & SEND_SHUTDOWN)
574 return -EPIPE;
575
576 BT_DBG("sock %p, sk %p", sock, sk);
577
578 lock_sock(sk);
579
580 sent = bt_sock_wait_ready(sk, msg->msg_flags);
581 if (sent)
582 goto done;
583
584 while (len) {
585 size_t size = min_t(size_t, len, d->mtu);
586 int err;
587
588 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
589 msg->msg_flags & MSG_DONTWAIT, &err);
590 if (!skb) {
591 if (sent == 0)
592 sent = err;
593 break;
594 }
595 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
596
597 err = memcpy_from_msg(skb_put(skb, size), msg, size);
598 if (err) {
599 kfree_skb(skb);
600 if (sent == 0)
601 sent = err;
602 break;
603 }
604
605 skb->priority = sk->sk_priority;
606
607 err = rfcomm_dlc_send(d, skb);
608 if (err < 0) {
609 kfree_skb(skb);
610 if (sent == 0)
611 sent = err;
612 break;
613 }
614
615 sent += size;
616 len -= size;
617 }
618
619done:
620 release_sock(sk);
621
622 return sent;
623}
624
625static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
626 size_t size, int flags)
627{
628 struct sock *sk = sock->sk;
629 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
630 int len;
631
632 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
633 rfcomm_dlc_accept(d);
634 return 0;
635 }
636
637 len = bt_sock_stream_recvmsg(sock, msg, size, flags);
638
639 lock_sock(sk);
640 if (!(flags & MSG_PEEK) && len > 0)
641 atomic_sub(len, &sk->sk_rmem_alloc);
642
643 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
644 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
645 release_sock(sk);
646
647 return len;
648}
649
650static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
651{
652 struct sock *sk = sock->sk;
653 int err = 0;
654 u32 opt;
655
656 BT_DBG("sk %p", sk);
657
658 lock_sock(sk);
659
660 switch (optname) {
661 case RFCOMM_LM:
662 if (get_user(opt, (u32 __user *) optval)) {
663 err = -EFAULT;
664 break;
665 }
666
667 if (opt & RFCOMM_LM_FIPS) {
668 err = -EINVAL;
669 break;
670 }
671
672 if (opt & RFCOMM_LM_AUTH)
673 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
674 if (opt & RFCOMM_LM_ENCRYPT)
675 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
676 if (opt & RFCOMM_LM_SECURE)
677 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
678
679 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
680 break;
681
682 default:
683 err = -ENOPROTOOPT;
684 break;
685 }
686
687 release_sock(sk);
688 return err;
689}
690
691static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
692{
693 struct sock *sk = sock->sk;
694 struct bt_security sec;
695 int err = 0;
696 size_t len;
697 u32 opt;
698
699 BT_DBG("sk %p", sk);
700
701 if (level == SOL_RFCOMM)
702 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
703
704 if (level != SOL_BLUETOOTH)
705 return -ENOPROTOOPT;
706
707 lock_sock(sk);
708
709 switch (optname) {
710 case BT_SECURITY:
711 if (sk->sk_type != SOCK_STREAM) {
712 err = -EINVAL;
713 break;
714 }
715
716 sec.level = BT_SECURITY_LOW;
717
718 len = min_t(unsigned int, sizeof(sec), optlen);
719 if (copy_from_user((char *) &sec, optval, len)) {
720 err = -EFAULT;
721 break;
722 }
723
724 if (sec.level > BT_SECURITY_HIGH) {
725 err = -EINVAL;
726 break;
727 }
728
729 rfcomm_pi(sk)->sec_level = sec.level;
730 break;
731
732 case BT_DEFER_SETUP:
733 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
734 err = -EINVAL;
735 break;
736 }
737
738 if (get_user(opt, (u32 __user *) optval)) {
739 err = -EFAULT;
740 break;
741 }
742
743 if (opt)
744 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
745 else
746 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
747
748 break;
749
750 default:
751 err = -ENOPROTOOPT;
752 break;
753 }
754
755 release_sock(sk);
756 return err;
757}
758
759static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
760{
761 struct sock *sk = sock->sk;
762 struct sock *l2cap_sk;
763 struct l2cap_conn *conn;
764 struct rfcomm_conninfo cinfo;
765 int len, err = 0;
766 u32 opt;
767
768 BT_DBG("sk %p", sk);
769
770 if (get_user(len, optlen))
771 return -EFAULT;
772
773 lock_sock(sk);
774
775 switch (optname) {
776 case RFCOMM_LM:
777 switch (rfcomm_pi(sk)->sec_level) {
778 case BT_SECURITY_LOW:
779 opt = RFCOMM_LM_AUTH;
780 break;
781 case BT_SECURITY_MEDIUM:
782 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
783 break;
784 case BT_SECURITY_HIGH:
785 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
786 RFCOMM_LM_SECURE;
787 break;
788 case BT_SECURITY_FIPS:
789 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
790 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
791 break;
792 default:
793 opt = 0;
794 break;
795 }
796
797 if (rfcomm_pi(sk)->role_switch)
798 opt |= RFCOMM_LM_MASTER;
799
800 if (put_user(opt, (u32 __user *) optval))
801 err = -EFAULT;
802
803 break;
804
805 case RFCOMM_CONNINFO:
806 if (sk->sk_state != BT_CONNECTED &&
807 !rfcomm_pi(sk)->dlc->defer_setup) {
808 err = -ENOTCONN;
809 break;
810 }
811
812 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
813 conn = l2cap_pi(l2cap_sk)->chan->conn;
814
815 memset(&cinfo, 0, sizeof(cinfo));
816 cinfo.hci_handle = conn->hcon->handle;
817 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
818
819 len = min_t(unsigned int, len, sizeof(cinfo));
820 if (copy_to_user(optval, (char *) &cinfo, len))
821 err = -EFAULT;
822
823 break;
824
825 default:
826 err = -ENOPROTOOPT;
827 break;
828 }
829
830 release_sock(sk);
831 return err;
832}
833
834static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
835{
836 struct sock *sk = sock->sk;
837 struct bt_security sec;
838 int len, err = 0;
839
840 BT_DBG("sk %p", sk);
841
842 if (level == SOL_RFCOMM)
843 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
844
845 if (level != SOL_BLUETOOTH)
846 return -ENOPROTOOPT;
847
848 if (get_user(len, optlen))
849 return -EFAULT;
850
851 lock_sock(sk);
852
853 switch (optname) {
854 case BT_SECURITY:
855 if (sk->sk_type != SOCK_STREAM) {
856 err = -EINVAL;
857 break;
858 }
859
860 sec.level = rfcomm_pi(sk)->sec_level;
861 sec.key_size = 0;
862
863 len = min_t(unsigned int, len, sizeof(sec));
864 if (copy_to_user(optval, (char *) &sec, len))
865 err = -EFAULT;
866
867 break;
868
869 case BT_DEFER_SETUP:
870 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
871 err = -EINVAL;
872 break;
873 }
874
875 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
876 (u32 __user *) optval))
877 err = -EFAULT;
878
879 break;
880
881 default:
882 err = -ENOPROTOOPT;
883 break;
884 }
885
886 release_sock(sk);
887 return err;
888}
889
890static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
891{
892 struct sock *sk __maybe_unused = sock->sk;
893 int err;
894
895 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
896
897 err = bt_sock_ioctl(sock, cmd, arg);
898
899 if (err == -ENOIOCTLCMD) {
900#ifdef CONFIG_BT_RFCOMM_TTY
901 lock_sock(sk);
902 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
903 release_sock(sk);
904#else
905 err = -EOPNOTSUPP;
906#endif
907 }
908
909 return err;
910}
911
912static int rfcomm_sock_shutdown(struct socket *sock, int how)
913{
914 struct sock *sk = sock->sk;
915 int err = 0;
916
917 BT_DBG("sock %p, sk %p", sock, sk);
918
919 if (!sk)
920 return 0;
921
922 lock_sock(sk);
923 if (!sk->sk_shutdown) {
924 sk->sk_shutdown = SHUTDOWN_MASK;
925 __rfcomm_sock_close(sk);
926
927 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
928 !(current->flags & PF_EXITING))
929 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
930 }
931 release_sock(sk);
932 return err;
933}
934
935static int rfcomm_sock_release(struct socket *sock)
936{
937 struct sock *sk = sock->sk;
938 int err;
939
940 BT_DBG("sock %p, sk %p", sock, sk);
941
942 if (!sk)
943 return 0;
944
945 err = rfcomm_sock_shutdown(sock, 2);
946
947 sock_orphan(sk);
948 rfcomm_sock_kill(sk);
949 return err;
950}
951
952/* ---- RFCOMM core layer callbacks ----
953 *
954 * called under rfcomm_lock()
955 */
956int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
957{
958 struct sock *sk, *parent;
959 bdaddr_t src, dst;
960 int result = 0;
961
962 BT_DBG("session %p channel %d", s, channel);
963
964 rfcomm_session_getaddr(s, &src, &dst);
965
966 /* Check if we have socket listening on channel */
967 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
968 if (!parent)
969 return 0;
970
971 bh_lock_sock(parent);
972
973 /* Check for backlog size */
974 if (sk_acceptq_is_full(parent)) {
975 BT_DBG("backlog full %d", parent->sk_ack_backlog);
976 goto done;
977 }
978
979 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
980 if (!sk)
981 goto done;
982
983 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
984
985 rfcomm_sock_init(sk, parent);
986 bacpy(&rfcomm_pi(sk)->src, &src);
987 bacpy(&rfcomm_pi(sk)->dst, &dst);
988 rfcomm_pi(sk)->channel = channel;
989
990 sk->sk_state = BT_CONFIG;
991 bt_accept_enqueue(parent, sk);
992
993 /* Accept connection and return socket DLC */
994 *d = rfcomm_pi(sk)->dlc;
995 result = 1;
996
997done:
998 bh_unlock_sock(parent);
999
1000 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1001 parent->sk_state_change(parent);
1002
1003 return result;
1004}
1005
1006static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
1007{
1008 struct sock *sk;
1009
1010 read_lock(&rfcomm_sk_list.lock);
1011
1012 sk_for_each(sk, &rfcomm_sk_list.head) {
1013 seq_printf(f, "%pMR %pMR %d %d\n",
1014 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
1015 sk->sk_state, rfcomm_pi(sk)->channel);
1016 }
1017
1018 read_unlock(&rfcomm_sk_list.lock);
1019
1020 return 0;
1021}
1022
1023static int rfcomm_sock_debugfs_open(struct inode *inode, struct file *file)
1024{
1025 return single_open(file, rfcomm_sock_debugfs_show, inode->i_private);
1026}
1027
1028static const struct file_operations rfcomm_sock_debugfs_fops = {
1029 .open = rfcomm_sock_debugfs_open,
1030 .read = seq_read,
1031 .llseek = seq_lseek,
1032 .release = single_release,
1033};
1034
1035static struct dentry *rfcomm_sock_debugfs;
1036
1037static const struct proto_ops rfcomm_sock_ops = {
1038 .family = PF_BLUETOOTH,
1039 .owner = THIS_MODULE,
1040 .release = rfcomm_sock_release,
1041 .bind = rfcomm_sock_bind,
1042 .connect = rfcomm_sock_connect,
1043 .listen = rfcomm_sock_listen,
1044 .accept = rfcomm_sock_accept,
1045 .getname = rfcomm_sock_getname,
1046 .sendmsg = rfcomm_sock_sendmsg,
1047 .recvmsg = rfcomm_sock_recvmsg,
1048 .shutdown = rfcomm_sock_shutdown,
1049 .setsockopt = rfcomm_sock_setsockopt,
1050 .getsockopt = rfcomm_sock_getsockopt,
1051 .ioctl = rfcomm_sock_ioctl,
1052 .poll = bt_sock_poll,
1053 .socketpair = sock_no_socketpair,
1054 .mmap = sock_no_mmap
1055};
1056
1057static const struct net_proto_family rfcomm_sock_family_ops = {
1058 .family = PF_BLUETOOTH,
1059 .owner = THIS_MODULE,
1060 .create = rfcomm_sock_create
1061};
1062
1063int __init rfcomm_init_sockets(void)
1064{
1065 int err;
1066
1067 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1068
1069 err = proto_register(&rfcomm_proto, 0);
1070 if (err < 0)
1071 return err;
1072
1073 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1074 if (err < 0) {
1075 BT_ERR("RFCOMM socket layer registration failed");
1076 goto error;
1077 }
1078
1079 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1080 if (err < 0) {
1081 BT_ERR("Failed to create RFCOMM proc file");
1082 bt_sock_unregister(BTPROTO_RFCOMM);
1083 goto error;
1084 }
1085
1086 BT_INFO("RFCOMM socket layer initialized");
1087
1088 if (IS_ERR_OR_NULL(bt_debugfs))
1089 return 0;
1090
1091 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1092 bt_debugfs, NULL,
1093 &rfcomm_sock_debugfs_fops);
1094
1095 return 0;
1096
1097error:
1098 proto_unregister(&rfcomm_proto);
1099 return err;
1100}
1101
1102void __exit rfcomm_cleanup_sockets(void)
1103{
1104 bt_procfs_cleanup(&init_net, "rfcomm");
1105
1106 debugfs_remove(rfcomm_sock_debugfs);
1107
1108 bt_sock_unregister(BTPROTO_RFCOMM);
1109
1110 proto_unregister(&rfcomm_proto);
1111}